b9a72ab0f8bc4d59ae312d10180812944ba25d576f0f755bbd660404c6d70760

Analysis

max time kernel
96s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
Size

2.5MB
MD5

0b80cbf77c836d7bc08dd39830ff1d25
SHA1

ec75e8c9df0ec7fecbe7f9cef1ba8aadcfb729a0
SHA256

b9a72ab0f8bc4d59ae312d10180812944ba25d576f0f755bbd660404c6d70760
SHA512

f9c2ffac067de29886ee24da9acbee6f845a624e15400b9ef085166633ddb0581560d34b5b0ceff9b9823d8d5b86ae1cb8fd2d3610c7a3b2073618dc4370eb18
SSDEEP

49152:kh3Zx0a7hFx9wlkNSC/n1vNVWdKg3RqkLGrZKFKBRGd42CPDIVt:khpZ7zIe84VNEdKg3UklU+dgb

Score

3^/10

discovery

Malware Config

Signatures

Program crash 44 IoCs

pid	pid_target	Process	procid_target
4852	4944	WerFault.exe	81
3316	4944	WerFault.exe	81
4204	4944	WerFault.exe	81
1844	4944	WerFault.exe	81
1068	4944	WerFault.exe	81
1492	4944	WerFault.exe	81
4396	4944	WerFault.exe	81
320	4944	WerFault.exe	81
2440	4944	WerFault.exe	81
4952	4944	WerFault.exe	81
3604	4944	WerFault.exe	81
2696	4944	WerFault.exe	81
2828	4944	WerFault.exe	81
4536	4944	WerFault.exe	81
3496	4944	WerFault.exe	81
1660	4944	WerFault.exe	81
720	4944	WerFault.exe	81
4272	4944	WerFault.exe	81
464	4944	WerFault.exe	81
228	4944	WerFault.exe	81
3552	4944	WerFault.exe	81
3124	4944	WerFault.exe	81
828	4944	WerFault.exe	81
3136	4944	WerFault.exe	81
4312	4944	WerFault.exe	81
2212	4944	WerFault.exe	81
3896	4944	WerFault.exe	81
4400	4944	WerFault.exe	81
4268	4944	WerFault.exe	81
3928	4944	WerFault.exe	81
392	4944	WerFault.exe	81
2412	4944	WerFault.exe	81
3956	4944	WerFault.exe	81
848	4944	WerFault.exe	81
4832	4944	WerFault.exe	81
1452	4944	WerFault.exe	81
4352	4944	WerFault.exe	81
1348	4944	WerFault.exe	81
3292	4944	WerFault.exe	81
4788	4944	WerFault.exe	81
3584	4944	WerFault.exe	81
4300	4944	WerFault.exe	81
4692	4944	WerFault.exe	81
3124	4944	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
Token: 33	3276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3276	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
4944	0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b80cbf77c836d7bc08dd39830ff1d25_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 804
  2⤵
  - Program crash
  PID:4852
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 976
  2⤵
  - Program crash
  PID:3316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1000
  2⤵
  - Program crash
  PID:4204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1092
  2⤵
  - Program crash
  PID:1844
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1000
  2⤵
  - Program crash
  PID:1068
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1104
  2⤵
  - Program crash
  PID:1492
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1144
  2⤵
  - Program crash
  PID:4396
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1724
  2⤵
  - Program crash
  PID:320
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1772
  2⤵
  - Program crash
  PID:2440
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1776
  2⤵
  - Program crash
  PID:4952
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1808
  2⤵
  - Program crash
  PID:3604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1776
  2⤵
  - Program crash
  PID:2696
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1932
  2⤵
  - Program crash
  PID:2828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1936
  2⤵
  - Program crash
  PID:4536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1912
  2⤵
  - Program crash
  PID:3496
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1920
  2⤵
  - Program crash
  PID:1660
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2024
  2⤵
  - Program crash
  PID:720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1964
  2⤵
  - Program crash
  PID:4272
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2064
  2⤵
  - Program crash
  PID:464
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1956
  2⤵
  - Program crash
  PID:228
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2052
  2⤵
  - Program crash
  PID:3552
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1960
  2⤵
  - Program crash
  PID:3124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2064
  2⤵
  - Program crash
  PID:828
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2124
  2⤵
  - Program crash
  PID:3136
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1960
  2⤵
  - Program crash
  PID:4312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2148
  2⤵
  - Program crash
  PID:2212
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2188
  2⤵
  - Program crash
  PID:3896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2144
  2⤵
  - Program crash
  PID:4400
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1948
  2⤵
  - Program crash
  PID:4268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1916
  2⤵
  - Program crash
  PID:3928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2168
  2⤵
  - Program crash
  PID:392
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2120
  2⤵
  - Program crash
  PID:2412
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2080
  2⤵
  - Program crash
  PID:3956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2192
  2⤵
  - Program crash
  PID:848
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2000
  2⤵
  - Program crash
  PID:4832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1964
  2⤵
  - Program crash
  PID:1452
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 1924
  2⤵
  - Program crash
  PID:4352
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2052
  2⤵
  - Program crash
  PID:1348
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2208
  2⤵
  - Program crash
  PID:3292
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2276
  2⤵
  - Program crash
  PID:3584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2280
  2⤵
  - Program crash
  PID:4788
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2000
  2⤵
  - Program crash
  PID:4300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2120
  2⤵
  - Program crash
  PID:4692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 2268
  2⤵
  - Program crash
  PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4944 -ip 4944
1⤵
PID:4344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4944 -ip 4944
1⤵
PID:3720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4944 -ip 4944
1⤵
PID:3108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4944 -ip 4944
1⤵
PID:636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4944 -ip 4944
1⤵
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4944 -ip 4944
1⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4944 -ip 4944
1⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4944 -ip 4944
1⤵
PID:528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4944 -ip 4944
1⤵
PID:2276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4944 -ip 4944
1⤵
PID:592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4944 -ip 4944
1⤵
PID:4156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4944 -ip 4944
1⤵
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4944 -ip 4944
1⤵
PID:2688

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b8 0x154
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4944 -ip 4944
1⤵
PID:916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4944 -ip 4944
1⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4944 -ip 4944
1⤵
PID:3540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4944 -ip 4944
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4944 -ip 4944
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4944 -ip 4944
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4944 -ip 4944
1⤵
PID:1316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4944 -ip 4944
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4944 -ip 4944
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4944 -ip 4944
1⤵
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4944 -ip 4944
1⤵
PID:4016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 4944 -ip 4944
1⤵
PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4944 -ip 4944
1⤵
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4944 -ip 4944
1⤵
PID:976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 4944 -ip 4944
1⤵
PID:996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4944 -ip 4944
1⤵
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4944 -ip 4944
1⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4944 -ip 4944
1⤵
PID:2808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4944 -ip 4944
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4944 -ip 4944
1⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4944 -ip 4944
1⤵
PID:3600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4944 -ip 4944
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 4944 -ip 4944
1⤵
PID:5036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4944 -ip 4944
1⤵
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 4944 -ip 4944
1⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4944 -ip 4944
1⤵
PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4944 -ip 4944
1⤵
PID:1488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4944 -ip 4944
1⤵
PID:116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4944 -ip 4944
1⤵
PID:3216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4944 -ip 4944
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4944 -ip 4944
1⤵
PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie

Filesize
91B

MD5
99bde3452748e34d6c50275110a6a8d4

SHA1
e79cb2a8db7d8490523529d3861f95ba73a20c23

SHA256
d07311acf641866e7e84823d2962f593bb655792301dc61ad6f0c6869d9c5937

SHA512
19fd529c6fe60bbbe3710fed93f14d723a13ad427431f855ed84f5e5e496b9f3eb8a6e8c31d740239eb225753d52a4f464b489fdbdeff4477480026263d0f691

Download Submit
memory/4944-4-0x0000000000401000-0x00000000018AD000-memory.dmp

Filesize
20.7MB

Download
memory/4944-11-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-2-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-0-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-5-0x0000000003470000-0x00000000036D2000-memory.dmp

Filesize
2.4MB

Download
memory/4944-7-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/4944-3-0x0000000001A90000-0x0000000001A91000-memory.dmp

Filesize
4KB

Download
memory/4944-9-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-6-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-10-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-8-0x0000000000401000-0x00000000018AD000-memory.dmp

Filesize
20.7MB

Download
memory/4944-1-0x0000000003470000-0x00000000036D2000-memory.dmp

Filesize
2.4MB

Download
memory/4944-19-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-20-0x0000000000400000-0x00000000018C8000-memory.dmp

Filesize
20.8MB

Download
memory/4944-21-0x0000000000401000-0x00000000018AD000-memory.dmp

Filesize
20.7MB

Download